OpenSUSE MicroOS, Transactional-Server distros

Hey,

I haven’t tried it yet, but there’s a distro created by OpenSUSE that’s “their answer to the rpm-ostree model” created by Fedora Core, Ubuntu Core, etc. that uses current package-maintainers’ .rpm files on their read-only filesystem that lends itself very well to the snap package system.

It’s still fledgling, but here’s one user’s reports on using it as a desktop. Somewhere in here or his previous post I saw his instructions on how to shoehorn snapd onto his system: https://dariofaggioli.wordpress.com/2021/06/18/microos-as-your-desktop-prime-time/

If snapd were an official package, it could really help get this desktop paradigm off the ground.

Also, how much truth is there to this comment by a former OpenSUSE chair? https://www.reddit.com/r/openSUSE/comments/mafb0v/snaps_on_microos/

snapd has failed every security audit ever conducted by SUSE/openSUSE and upstream have not made any of the required adjustments to make the software acceptable for use in SUSE/openSUSE distributions.

The only submission I’ve personally seen to OpenSUSE:Factory is from 2018, so I’m curious to know if that’s what the former chair is referring to.

Thanks

The audit bug is still there for you to read and make your own opinion: https://bugzilla.opensuse.org/show_bug.cgi?id=1127368#c33 Things didn’t move forward since then, as @zyga left the team and nobody took over, while at the same time we have a bunch of requests for features and bugfixes coming through different channels. I keep the package in system:snappy up to date and maybe at some point we’ll be able to pick this up again.

1 Like

Well we do appreciate you keeping it going, I’m sure it’s very popular (necessary for some of my software).

BTW, I know literally nothing about AppArmor audits, but I can share a tail of audit.log. I was just using vscode in a snap, and have a few other random ones:

type=CRED_REFR msg=audit(1642292552.097:500): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_START msg=audit(1642292552.097:501): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_open grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=SERVICE_START msg=audit(1642292569.237:502): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1642292606.277:503): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_close grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=CRED_DISP msg=audit(1642292606.277:504): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_ACCT msg=audit(1642292606.285:505): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:accounting grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_CMD msg=audit(1642292606.285:506): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='cwd="/home/avery/node-dev/week-6/ReduxToDoChallenge" cmd=7A797070657220696E20636F6465 exe="/usr/bin/sudo" terminal=pts/3 res=success'
type=CRED_REFR msg=audit(1642292606.285:507): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_START msg=audit(1642292606.285:508): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_open grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=SERVICE_STOP msg=audit(1642292630.325:509): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1642292637.681:510): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1642292654.965:511): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_close grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=CRED_DISP msg=audit(1642292654.965:512): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=SERVICE_STOP msg=audit(1642292714.990:513): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Not sure if that tells you anything. If you have a sec to go over it, maybe you could tell me what I’m looking for, or point me in the direction of some resources you recommend for learning how to audit these. I’m probably a decent guinea pig.

Thanks

PS: adding snapd is in a guide for setting up MicroOS desktop now (the read-only Silverblue-ish OS) written by none other than a SUSE employee, so they can’t be THAT bad…

This is just an audit trail. None of the logs seem to be related to snaps. From what I can tell, this is just a sudo command which ran a couple of times and thus a new session was created. The systemd bits in the log suggest that a snapperd service ran and finished.

1 Like
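For anyone who wants to check the reading above against the records rather than eyeball them, here is a small parser for Linux audit.log lines. It is an added example, not code from this thread, from snapd or from openSUSE. The first three sample records are copied from the excerpt posted above; the fourth (unit=snapd, serial 520) is constructed so that an exact unit match has something to hit. It splits each record into its fields, decodes the hex-encoded cmd= value that auditd emits when a command line contains spaces (the one above decodes to `zypper in code`, i.e. a plain sudo zypper install), and contrasts a substring grep for "snap", which catches snapperd, with an exact match on the systemd unit name.

```python
"""Parse Linux audit.log records and ask which ones involve a given systemd unit.

Added example, not code from the thread, from snapd or from openSUSE.
Records 502, 506 and 509 are copied from the excerpt posted in the thread;
record 520 (unit=snapd) is constructed for illustration.
"""
import re

SAMPLE_LOG = """\
type=USER_CMD msg=audit(1642292606.285:506): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='cwd="/home/avery/node-dev/week-6/ReduxToDoChallenge" cmd=7A797070657220696E20636F6465 exe="/usr/bin/sudo" terminal=pts/3 res=success'
type=SERVICE_START msg=audit(1642292569.237:502): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1642292630.325:509): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1642292700.000:520): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Record header: type=... msg=audit(<epoch seconds>:<serial>): <fields>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value where value is "double-quoted", 'single-quoted' or bare.
# A bare value may itself start with '=' (subj==unconfined), which \S* keeps.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S*)""")
# Fields that auditd hex-encodes (instead of quoting) when the value holds
# whitespace or control characters; cmd=7A79... above is one such case.
HEX_ENCODABLE = {"cmd", "proctitle", "cwd", "exe", "comm", "acct", "key"}
HEX_RE = re.compile(r"[0-9A-F]+")


def _decode_value(key, raw):
    """Strip quotes, or hex-decode a bare value in a hex-encodable field."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if key in HEX_ENCODABLE and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def _parse_fields(text, into):
    for key, raw in FIELD_RE.findall(text):
        value = _decode_value(key, raw)
        if key == "msg" and raw.startswith("'"):
            # The trailing msg='...' carries its own key=value list; flatten it.
            _parse_fields(value, into)
        else:
            into[key] = value
    return into


def parse_record(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m["type"], "ts": float(m["ts"]),
           "serial": int(m["serial"]), "raw": line.strip()}
    return _parse_fields(m["rest"], rec)


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def events_for_unit(records, unit):
    """Exact match on the systemd unit name: 'snapd' does not hit 'snapperd'."""
    return [r for r in records if r.get("unit") == unit]


def events_mentioning(records, needle):
    """Naive substring grep over the raw line: 'snap' lumps snapperd in with snapd."""
    return [r for r in records if needle in r["raw"]]


def describe(rec):
    """One human-readable line per record, for a quick review of a tail."""
    if rec["type"] == "USER_CMD":
        return "%d USER_CMD auid=%s ran %r via %s in %s" % (
            rec["serial"], rec.get("auid"), rec.get("cmd"), rec.get("exe"), rec.get("cwd"))
    if rec["type"] in ("SERVICE_START", "SERVICE_STOP"):
        return "%d %s unit=%s" % (rec["serial"], rec["type"], rec.get("unit"))
    return "%d %s" % (rec["serial"], rec["type"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(describe(r))
    print("substring 'snap':", [r["serial"] for r in events_mentioning(recs, "snap")])
    print("unit == 'snapd':", [r["serial"] for r in events_for_unit(recs, "snapd")])
```

Run it on a real tail with `parse_log(open("/var/log/audit/audit.log").read())`; the SERVICE_START/STOP pairs for snapperd and the PAM session records from sudo are exactly what the reply above describes, and nothing in the posted excerpt carries unit=snapd or an AppArmor AVC record.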

LOL, I didn’t even notice, it was tracking snapperd and not snapd, that was an epic fail. snapperd is the btrfs snapshot daemon :joy:

I’m pretty sure I remember looking for snapd, so I’m not sure why the audit program gave me these results, but I definitely should have looked them over more closely before posting them up like that, sorry. I was using the AA audit front-end in YaST.